Current Topic: Miscellaneous

Old school Computer games using <CANVAS>

Topic: Miscellaneous
9:29 pm EDT, Oct 8, 2009
This article talks about a guy who ported some older Sierra computer games to the browser using the CANVAS tag. That's not what's cool. What is cool is this:

I was able to convert the logic to JavaScript, but there was one big problem: Sierra’s code used GOTO statements, and those could jump anywhere in the code, even inside a nested “if”-statement. It seemed unsolvable in JavaScript. I sat down together with Sjoerd Visscher, one of my colleagues at Q42, and we came up with a solution. Using a decompilation approach to get rid of nested “if”-statements and putting the whole shebang inside a huge switch/case statement, we could mimic line numbers and GOTOs while maintaining performance. World domination was within reach :-D

He is emulating line numbers using a giant SWITCH/case where each "case" statement is a line number! Neat hack!
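The trick described above, as an added example written for this page (it is not code from the Sierra port or from Q42): a dispatcher loop around one switch, where every case label is a line number. The tiny BASIC-style program it translates is constructed for illustration; fall-through between cases is the normal "go to the next line", and a GOTO just sets the line register and restarts the loop, which is what lets a jump land inside what used to be a nested IF.

```javascript
// Added example: BASIC-style line numbers and GOTO emulated in JavaScript.
// Constructed source program (not Sierra code):
//
//   10 N = START : STEPS = 0
//   20 IF N = 1 THEN GOTO 70
//   30 STEPS = STEPS + 1
//   40 IF N MOD 2 = 0 THEN GOTO 60
//   50 N = 3 * N + 1 : GOTO 20
//   60 N = N / 2 : GOTO 20
//   70 END
//
// Each case label is a line number. Falling through (no break) is the
// ordinary "next line"; a GOTO assigns pc and `continue`s the loop, so the
// next iteration dispatches straight to the target line. `continue` inside a
// switch applies to the enclosing for-loop, which is what we want here.
function collatzSteps(start) {
  if (!Number.isInteger(start) || start < 1) {
    throw new RangeError('start must be a positive integer');
  }
  let n = start;
  let steps = 0;
  let pc = 10;                                          // emulated line number
  for (;;) {
    switch (pc) {
      case 10: n = start; steps = 0;                    // falls through to 20
      case 20: if (n === 1) { pc = 70; continue; }      // GOTO 70
      case 30: steps += 1;                              // falls through to 40
      case 40: if (n % 2 === 0) { pc = 60; continue; }  // GOTO 60
      case 50: n = 3 * n + 1; pc = 20; continue;        // GOTO 20
      case 60: n = n / 2; pc = 20; continue;            // GOTO 20
      case 70: return steps;                            // END
      default: throw new RangeError('GOTO to undefined line ' + pc);
    }
  }
}

// collatzSteps(7) -> 16, collatzSteps(1) -> 0
```

This switch-in-a-loop shape is the same control-flow flattening that JavaScript obfuscators produce, so recognising it is useful when reading minified or protected scripts, not only when porting old games.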

A Method of Identifying Web Applications

Topic: Miscellaneous
1:04 am EDT, Oct 8, 2009
When I've thought about application fingerprinting in the past it's fallen into 2 categories:

Passive: Detect applications by examining streams of data that were generated for some other purpose. Examples include banner grabbing, or regexing pages for certain phrases like "Powered By" or <META> Generator tags.

Active: Probe the app for certain unlinked files. Fingerprinting can be done by detecting the presence of files, hashing their contents, or regexing for specific identifiers. The JavaScript port scan I developed back at SPI used the presence of files to fingerprint, while Nikto's favicon fingerprinting uses MD5s of /favicon.ico, and Backend Info uses file probes + regexes.

This is an interesting paper that discusses a new(ish) way to passively fingerprint web applications: link structure and forms. I say newish because while at SPI/HP we would often use regexes to examine hyperlinks or CSS/JS includes to roughly detect apps. This was more of a coarse "should I try and send this attack" filter and not a "this page is definitely running phpXYZ version 1.2.3" detection. Essentially, this paper discusses using the common and repeated structure of links and their parameters, as well as forms and their inputs/types, to create signatures for applications. The results are pretty impressive, and I like that it's passive!
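The link-structure-and-forms idea, as an added example that is not code from the paper: a page's signature is the set of its link paths with parameter names (values dropped) plus its forms with method, action and sorted input name:type pairs, and identification is a similarity score against a catalog of known signatures. The HTML, the catalog and the application names below are all constructed for illustration; a real inventory tool would use a proper HTML parser rather than the regexes used here.

```javascript
// Added example (not the paper's code): passive fingerprint from link
// structure and forms. All inputs below are constructed.
const SAMPLE_HTML = `
<a href="/index.php?page=about">About</a>
<a href="/index.php?page=contact&lang=en">Contact</a>
<a href="https://app.example/admin/login.php#top">Log in</a>
<form method="post" action="/admin/login.php?next=home">
  <input type="text" name="user">
  <input type="password" name="pass">
  <input type="hidden" name="token" value="c0nstructed">
  <input type="submit" value="Go">
</form>`;

// Hypothetical applications with constructed signatures.
const CATALOG = {
  'hypothetical-cms': [
    'form:POST /admin/login.php[pass:password,token:hidden,user:text]',
    'link:/admin/login.php',
    'link:/index.php?id&page',
    'link:/index.php?lang&page',
    'link:/index.php?page',
  ],
  'hypothetical-forum': [
    'form:POST /login[password:password,username:text]',
    'link:/viewforum?f',
    'link:/viewtopic?t',
  ],
};

// One double-quoted attribute from a tag's attribute string (regex parsing
// is enough for this illustration).
function attr(attrs, name) {
  const m = new RegExp('\\b' + name + '\\s*=\\s*"([^"]*)"', 'i').exec(attrs);
  return m ? m[1] : '';
}

// Keep the path and the sorted parameter *names*; values change per page,
// the structure is what identifies the application.
function normalizeUrl(url) {
  const noOrigin = url.replace(/^[a-z][a-z0-9+.-]*:\/\/[^/]*/i, '').split('#')[0];
  const [path, query = ''] = noOrigin.split('?');
  const names = query.split('&').filter(Boolean).map(p => p.split('=')[0]).sort();
  return path + (names.length ? '?' + names.join('&') : '');
}

// Sorted, de-duplicated signature of a page: link entries and form entries.
function pageSignature(html) {
  const sig = new Set();
  for (const m of html.matchAll(/<a\b([^>]*)>/gi)) {
    const href = attr(m[1], 'href');
    if (href) sig.add('link:' + normalizeUrl(href));
  }
  for (const m of html.matchAll(/<form\b([^>]*)>([\s\S]*?)<\/form>/gi)) {
    const method = (attr(m[1], 'method') || 'get').toUpperCase();
    const action = normalizeUrl(attr(m[1], 'action')).split('?')[0];
    const fields = [];
    for (const f of m[2].matchAll(/<(input|select|textarea)\b([^>]*)>/gi)) {
      const name = attr(f[2], 'name');
      if (!name) continue;                      // unnamed buttons carry no structure
      const tag = f[1].toLowerCase();
      const type = tag === 'input' ? (attr(f[2], 'type') || 'text').toLowerCase() : tag;
      fields.push(name + ':' + type);
    }
    sig.add('form:' + method + ' ' + action + '[' + fields.sort().join(',') + ']');
  }
  return [...sig].sort();
}

// Jaccard similarity between two signatures: 0 = disjoint, 1 = identical.
function jaccard(a, b) {
  const A = new Set(a);
  const B = new Set(b);
  let inter = 0;
  for (const x of A) if (B.has(x)) inter += 1;
  const union = A.size + B.size - inter;
  return union === 0 ? 0 : inter / union;
}

// Rank catalog entries by similarity to the page; the top entry is the guess.
function identify(html, catalog) {
  const sig = pageSignature(html);
  return Object.entries(catalog)
    .map(([name, known]) => ({ name, score: jaccard(sig, known) }))
    .sort((x, y) => y.score - x.score);
}
```

Run as `identify(SAMPLE_HTML, CATALOG)`: the constructed page shares four of the five CMS entries (score 0.8) and none of the forum entries. Because only parameter names and field types go into the signature, the same application scores the same whichever page of it you happen to have, which is what makes the approach passive and repeatable; the obvious weakness is that a theme or plugin that rewrites links shifts the score, so a catalog needs several signatures per application version.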

Topic: Miscellaneous
4:42 pm EDT, Oct 7, 2009
Web App Version detection using fingerprinting

Good security practice tells us to only give our users the minimum privilege and least information necessary to do their jobs. Because of that, many people choose to hide the version of their systems and applications from outsiders. It means we go around disabling banners, removing generators and headers from many of our servers, but sometimes it might not be enough to hide which version of a web application you are using.

Saw this a few months ago, re-found it today. Very cool.
Webapp version detection

Memo To Google: Stop Screwing with IE Security!

Topic: Miscellaneous
3:58 pm EDT, Oct 7, 2009
I'm not sure how long this has been going on, but Google-owned websites are turning off Internet Explorer 8's Cross Site Scripting Filter. This is unbelievably stupid. Google websites like FeedBurner and Blogger are including the X-XSS-Protection HTTP header to tell IE8 to disable its reflected XSS detection! See for yourself. Here are the headers for https://www.blogger.com/start:
HTTP/1.1 200 OK
Set-Cookie: [SNIPPED]
Content-Type: text/html; charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Date: Wed, 07 Oct 2009 19:53:41 GMT
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Server: GFE/2.0
Transfer-Encoding: chunked
Again, I am shocked at how utterly stupid this is. Google is downgrading the security of its website visitors! IE's XSS filter is designed to detect reflected XSS attacks that appear in the query string of a URL. This is a Very Good Thing(tm). While there is a remote possibility that HTML markup passed in the query string of a URL could cause the XSS filter to false positive, you really should not have web apps whose design allows chunks of markup to be passed around the application in user-controlled fields. There is simply no reason anyone should ever use the header X-XSS-Protection. Period. Let alone Google. Ping to Rich Canning... [PING]...
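A response-header audit over the Blogger headers quoted above, as an added example (the rules are this example's own, not anything Google or Microsoft published): parse the raw header block, then flag a header that switches the browser's reflected-XSS filter off and a missing nosniff. The IE8 filter and the X-XSS-Protection header are obsolete today (no current browser ships the filter), but the shape of the check is the same for any security-relevant response header.

```javascript
// Added example: parse a raw HTTP response header block and flag weakening
// settings. Input is the Blogger response quoted in the post.
const BLOGGER_HEADERS = `HTTP/1.1 200 OK
Set-Cookie: [SNIPPED]
Content-Type: text/html; charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Date: Wed, 07 Oct 2009 19:53:41 GMT
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Server: GFE/2.0
Transfer-Encoding: chunked`;

// Header names are case-insensitive, so keys are lower-cased; a repeated
// header is folded with ", " the way a proxy would combine it.
function parseHeaders(raw) {
  const lines = raw.split(/\r?\n/);
  const status = lines.shift().trim();
  const headers = {};
  for (const line of lines) {
    const i = line.indexOf(':');
    if (i < 0) continue;                              // skip malformed lines
    const name = line.slice(0, i).trim().toLowerCase();
    const value = line.slice(i + 1).trim();
    headers[name] = name in headers ? headers[name] + ', ' + value : value;
  }
  return { status, headers };
}

// Audit rules (this example's own). Returns a list of finding strings;
// an empty list means nothing was flagged.
function auditHeaders(headers) {
  const findings = [];
  const xss = headers['x-xss-protection'];
  if (xss !== undefined && xss.trim().startsWith('0')) {
    findings.push('X-XSS-Protection: 0 turns off the browser reflected-XSS filter');
  }
  const cto = (headers['x-content-type-options'] || '').trim().toLowerCase();
  if (cto !== 'nosniff') {
    findings.push('X-Content-Type-Options: nosniff is missing');
  }
  return findings;
}

// Convenience wrapper: raw header text in, findings out.
function auditRaw(raw) {
  return auditHeaders(parseHeaders(raw).headers);
}
```

`auditRaw(BLOGGER_HEADERS)` yields exactly one finding, the X-XSS-Protection line the post complains about; the nosniff header that Google did send passes. Note that the audit keys on the parsed, lower-cased name, so `x-xss-protection: 0` and `X-XSS-PROTECTION: 0` are caught alike, which a naive string search on the raw block would miss.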

Windows Mobile 6.5 Review: It Still Sucks.

Topic: Miscellaneous
5:12 pm EDT, Oct 6, 2009
Take a Buick LeSabre. No, no, not a cool one from the late 1950s. Take one from the early 90’s, like the ones they use on cop shows. Now, strap a spoiler on it. The LeSabre is Windows Mobile. The spoiler is all of the stuff 6.5 brings.
HAHA! This made me fall out of my chair. At least Microsoft got out in front of this when Steve Ballmer set expectations a few months back. Having played with countless coworkers' phones during dev meetings at HP (yet another strategy to not shoot myself in the head), I can say with conviction that Windows Mobile sucks. The stylus feels so 2002. The navigation controls were horrible. And don't get me started on Mobile IE. Holy god. While I've come to really like IE8 and where the IE team is moving things, my opinion of Mobile IE is... ... poor to say the least. Think of your feelings for IE6. Around 2004. As you implemented another CSS hack. Now times that by 2.75. There you go. That's my feeling on Mobile IE.

Compared to Windows Mobile 6.1, both are wonderful, wonderful improvements. Compared to any other phone, it’s still pretty terrible.

This sums up my thoughts nicely. On the positive side, it *is* good to see innovation. When you suck a lot, expectations are low and there's lots of room to improve! I only hope that Apple and RIM keep the pressure up and force this space to improve. As much as I like the iPhone's interface, the absolute bullshit that is the AppStore inclusion policies and the Flash-on-the-iPhone fiction needs a strong balance.

Hacking Challenge Results

Topic: Miscellaneous
2:08 am EDT, Oct 6, 2009
The challenge had both an internal HP and a public online component, with the purpose of teaching people about security by putting them through a series of challenges. Those challenges were based on real-world login examples, with participants trying to figure out how to break in by taking advantage of Web application security vulnerabilities.

My former co-workers at HP held the hacking challenge I mentioned last month.

Wood said 446 individuals participated in the hacking challenge, of whom 52 percent were able to solve the first challenge, which was a JavaScript log-in that could be determined and bypassed by a researcher if they simply viewed the underlying HTML source code. "They viewed the source code and were able to understand the JavaScript," Wood said. "It gives you a good baseline of how many people understand what is on the Internet and how willing they are to explore a Web page beyond just looking at a page inside of a browser."

Well that's disappointing. If I remember correctly, stage one was plain-text authentication done on the client side using JavaScript!!! In fact you didn't even need to read out the username/password because it simply did a window.location style redirect! The URL for stage two was right there!

While more than half the participants could solve the JavaScript challenge, by the fifth level only 9 percent of the 446 participants made the cut. The fifth challenge involved a SQL injection vulnerability that participants needed to exploit. SQL injection attacks are among the most commonly found types of vulnerabilities. The Heartland Payment Systems security breach, which nabbed over 130 million credit cards, stemmed from a SQL injection. The challenges were not just theoretical scenarios. "Basically, the challenges were very distilled versions of examples we saw online," Wood said. The most difficult level of the HP hacking challenge was the hidden sixth level, which only two people were able to solve. Wood declined to detail the vulnerability, though he did hint at what it involved.

I seem to remember this version of the challenge having 13 levels. Matt must have trimmed it. Other stages were Java applets, Flash with unsalted SHA-1s, and other cool stuff. Cool stuff! I hope Matt hauls his butt up to Phreaknic or uses this at some other regional hacker con. These results show there is an obvious need for some schooling!

Topic: Miscellaneous
2:03 pm EDT, Oct 5, 2009

Yahoo already has a large presence in India, reaching 26 million of the 35 million online Indians (according to Comscore, August 2009)

This article is about Yahoo. But that's not important. What is important is that, according to Comscore, in a country with 1.154 billion people only 35 million of them have internet access. ... That's 3% of the population. ... On this site India is said to have 81 million internet users. That's 7% of the population. Now I'm not sure where the 100% difference in India numbers comes from, or whether phones are included. The CIA puts the number of Internet users in India at 70 million. Regardless, a very small fraction of people have access to one of the most powerful resources in history. To put this in contrast, Uzbekistan has more Internet penetration than India. Yes, a country whose dictator boils people to death has more of its population using the Internet than the largest democratic republic in the world. Just let that sink in.
India

Topic: Miscellaneous
12:58 pm EDT, Oct 5, 2009

Madison had been found using a police scanner and Twitter to help numerous protesters avoid police during the Group of 20 summit and has now been charged with hindering apprehension or prosecution, criminal use of a communication facility, and possession of instruments of crime

Instruments of Crime would be a kick ass name for a band! Or hacker group. I wonder if red boxes and tone dialers are still instruments of crime.
Instruments of Crime!

Topic: Miscellaneous
12:52 pm EDT, Oct 5, 2009

I hate it when people use the phrase "Orders of Magnitude" incorrectly. Ok, yes, I agree, more people know about botnets in 2009 than in 2008. If I take 100 random people in 2008, maybe 2 could tell me what a botnet is. So in 2009 if, say, 6 people now know what a botnet is, that's not a single order of magnitude, let alone plural orders of magnitude. Say something like 300% growth or tripled or something. [sigh] Am I being a technical snob by getting annoyed when people misuse scientific terms to sound smart? [sigh]

Topic: Miscellaneous
3:34 am EDT, Oct 4, 2009

some In-and-Out burger. I also need Red Bull. Lots and lots of Red Bull. Right now.